AWS CodeBuild unanchored pull-request filter misconfiguration security flaw
Vulnerability
Summary
Hide ▲
Show ▼
AWS CodeBuild had an unanchored pull-request filter flaw that let untrusted PRs run privileged builds, creating takeover risk for core AWS GitHub repositories and the AWS Console supply chain.
Related Happenings
Amazon Q Developer MCP trust flaw (CVE-2026-12957)
Vulnerability
H score32
First: 26.06.2026 16:53
Last: 26.06.2026 16:53
Sources 1
About this happening:
**Amazon Q Developer** had a **high-severity** trust-boundary flaw in **MCP server** handling that could let a malicious repository trigger commands on a developer machine and ste...
Amazon Q Developer MCP trust flaw (CVE-2026-12957)
VulnerabilityAbout this happening: **Amazon Q Developer** had a **high-severity** trust-boundary flaw in **MCP server** handling that could let a malicious repository trigger commands on a developer machine and ste...
AWS Bedrock AgentCore Code Interpreter DNS exfiltration and covert C2 in Sandbox Mode
Technical Analysis
H score25
First: 16.03.2026 15:00
Last: 16.03.2026 15:00
Sources 1
About this happening:
Researchers demonstrated **DNS-based exfiltration** and covert **C2** against **AWS Bedrock AgentCore Code Interpreter**, showing cloud AI code execution environments can still le...
AWS Bedrock AgentCore Code Interpreter DNS exfiltration and covert C2 in Sandbox Mode
Technical AnalysisAbout this happening: Researchers demonstrated **DNS-based exfiltration** and covert **C2** against **AWS Bedrock AgentCore Code Interpreter**, showing cloud AI code execution environments can still le...
AWS CodeBuild ACTOR_ID regex bypass security flaw
Vulnerability
H score33
First: 15.01.2026 21:31
Last: 15.01.2026 21:31
Sources 1
About this happening:
**AWS CodeBuild**'s **ACTOR_ID regex filters** were misconfigured, allowing a build-trigger bypass that could expose privileged GitHub tokens and enable repository takeover. The f...
AWS CodeBuild ACTOR_ID regex bypass security flaw
VulnerabilityAbout this happening: **AWS CodeBuild**'s **ACTOR_ID regex filters** were misconfigured, allowing a build-trigger bypass that could expose privileged GitHub tokens and enable repository takeover. The f...
VoidLink analysis reveals Kubernetes/Docker checks and modular anti-analysis behavior
Technical Analysis
H score28
First: 14.01.2026 00:12
Last: 14.01.2026 00:12
Sources 1
About this happening:
**VoidLink** is a **Linux C2 framework** built for **cloud and container environments**, with **multi-cloud targeting** across **AWS, Google Cloud Platform, Microsoft Azure, Aliba...
VoidLink analysis reveals Kubernetes/Docker checks and modular anti-analysis behavior
Technical AnalysisAbout this happening: **VoidLink** is a **Linux C2 framework** built for **cloud and container environments**, with **multi-cloud targeting** across **AWS, Google Cloud Platform, Microsoft Azure, Aliba...
VoidLink modular Linux malware framework for cloud and container operations
Malware Activity
H score28
First: 13.01.2026 16:31
Last: 13.01.2026 16:31
Sources 1
About this happening:
Researchers uncovered **VoidLink**, a new **Linux malware framework** that expands **C2**, **persistence**, and **post-exploitation** options against **cloud and container environ...
VoidLink modular Linux malware framework for cloud and container operations
Malware ActivityAbout this happening: Researchers uncovered **VoidLink**, a new **Linux malware framework** that expands **C2**, **persistence**, and **post-exploitation** options against **cloud and container environ...
Latest development: 21.01.2026 14:51
Check Point Research concluded that the VoidLink Linux malware targeting Linux-based cloud servers was largely built by AI, likely under the direction of one person, after reviewing exposed planning documents, AI-generated documentation, and the malware's rapid evolution from concept to a working framework in about four weeks rather than the planned 30 weeks.
Timeline
-
15.01.2026 17:00 2 articles · 5mo ago
CodeBreach exposed AWS CodeBuild pull-request filter bypass
Technical Analysis UpdateWiz Research disclosed CodeBreach, a critical AWS CodeBuild misconfiguration in the pull-request trigger path that let untrusted pull requests bypass an unanchored ACTOR_ID regex, run privileged builds, steal GitHub credentials from build memory, and gain control of core AWS GitHub repositories including aws/aws-sdk-js-v3; AWS said it anchored the affected regex filters, revoked exposed credentials, and added the Pull Request Comment Approval build gate.
Show sources
- CodeBuild Flaw Put AWS Console Supply Chain At Risk — www.infosecurity-magazine.com — 15.01.2026 17:00
- CodeBuild Flaw Put AWS Console Supply Chain At Risk — www.infosecurity-magazine.com — 15.01.2026 17:00